03 Feb 2021
Keeping an eye on cyber news and threats
Ransomware group FonixCrypter releases master decryption key
Cybercrime group FonixCrypter have decided to shut up shop on their ransomware operation and have deleted the source code, making the announcement on Twitter last Tuesday.
In an act of good faith, they’ve also released a package containing a decryption tool for those who have had their files encrypted and didn’t pay the ransom.
The decryption tool itself is legitimate and works. It only decrypts one file at a time, but that is better than nothing.
They also claim they will try and use their abilities in positive ways in the future, but nobody is really sure what that means.
New ransomware hits the web
As one ransomware dies, another is born. Babuk Locker is the latest ransomware to come to light, but rather than attacking individuals, this one targets enterprise networks.
Babuk Locker has already infected five corporate networks, with the ransom amount ranging between $60,000 and $85,000. One of the companies has paid the ransom.
Although not particularly sophisticated, it does use some smart new tactics, such as multi-threaded encryption and exploiting Windows Restart Manager. It may not be the worst out there, but it is one to watch out for.
The Trickbot trojan is back
Trickbot was a trojan virus that was taken out by Microsoft last year, but it appears that it has been resurrected with a few changes. The previous version used email attachments to deliver the payload, but this time it appears to be using phishing links which redirect victims to a compromised server. The victims are then presented with a page that claims to have photo proof of a driving infringement and gives them a button to download the photos.
After Microsoft disrupted the Trickbot operation last year, court orders were put in place to disable any IP addresses being used by the group behind the virus, but without any arrests the criminals behind Trickbot can just rebuild their infrastructure elsewhere.
It’s also been discovered that it may be using Masscan, an open source network scanning tool. Trickbot can use it to look for open ports or vulnerable systems that it can attack later, and then move laterally to infect other systems. It hasn’t been found in all of the Trickbot trojans though, and is believed to be a test module at the moment, but if successful it could pose a real threat.
Watch out for an EE phishing scam
There’s an EE phishing email going around at the moment to watch out for. My friend posted a screenshot of one that he received on Facebook yesterday (image right).
The key giveaways here are the bad grammar in ‘we’ve renewal issue’ and the sense of urgency: your payment has failed and you only have 3 days to fix it before they cut you off.
Keep an eye out for this and delete it if you see it.
On the topic of phishing, WV Solutions offer a phishing testing service. We can check how susceptible your employees are to phishing attempts and educate them on spotting them in the future, so that you can better protect your business.
That’s all for now, see you next week.